Bug 14743

Summary: claws-mail: fix possible buffer overflow (CVE-2010-5109)
Product: Mageia Reporter: Jani Välimaa <jani.valimaa>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, olchal, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Source RPM: claws-mail-3.11.1-1.mga4 CVE:
Status comment:

Description Jani Välimaa 2014-12-07 10:25:47 CET 
Claws-mail embeds a copy of libytnef, but it's missing the security fix for CVE-2010-5109.

I've added a patch to claws-mail in cauldron and mga4 from upstream git to fix it:
http://git.claws-mail.org/?p=claws.git;a=commit;h=a8df3ae48ad5732018934b378abb11a022735c5e

Please test claws-mail pkgs from core/updates_testing.

More info:
==========
https://bugs.debian.org/771360
https://bugzilla.redhat.com/show_bug.cgi?id=831322

RPMs:
=====
claws-mail-3.11.1-1.1.mga4
claws-mail-tools-3.11.1-1.1.mga4
claws-mail-devel-3.11.1-1.1.mga4
claws-mail-plugins-3.11.1-1.1.mga4
claws-mail-archive-plugin-3.11.1-1.1.mga4
claws-mail-bogofilter-plugin-3.11.1-1.1.mga4
claws-mail-gdata-plugin-3.11.1-1.1.mga4
claws-mail-smime-plugin-3.11.1-1.1.mga4
claws-mail-pgpcore-plugin-3.11.1-1.1.mga4
claws-mail-pgpinline-plugin-3.11.1-1.1.mga4
claws-mail-pgpmime-plugin-3.11.1-1.1.mga4
claws-mail-spamassassin-plugin-3.11.1-1.1.mga4
claws-mail-acpi-plugin-3.11.1-1.1.mga4
claws-mail-att_remover-plugin-3.11.1-1.1.mga4
claws-mail-bsfilter-plugin-3.11.1-1.1.mga4
claws-mail-fancy-plugin-3.11.1-1.1.mga4
claws-mail-fetchinfo-plugin-3.11.1-1.1.mga4
claws-mail-mailmbox-plugin-3.11.1-1.1.mga4
claws-mail-newmail-plugin-3.11.1-1.1.mga4
claws-mail-notification-plugin-3.11.1-1.1.mga4
claws-mail-perl-plugin-3.11.1-1.1.mga4
claws-mail-python-plugin-3.11.1-1.1.mga4
claws-mail-rssyl-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-devel-3.11.1-1.1.mga4
claws-mail-attachwarner-plugin-3.11.1-1.1.mga4
claws-mail-spam_report-plugin-3.11.1-1.1.mga4
claws-mail-tnef_parse-plugin-3.11.1-1.1.mga4
claws-mail-address_keeper-plugin-3.11.1-1.1.mga4
claws-mail-clamd-plugin-3.11.1-1.1.mga4
claws-mail-pdf_viewer-plugin-3.11.1-1.1.mga4
claws-mail-libravatar-plugin-3.11.1-1.1.mga4

Reproducible: 

Steps to Reproduce:
Jani Välimaa 2014-12-07 10:26:39 CET

Source RPM: claws-mail-4.11.1 => claws-mail-3.11.1-1.mga4

Comment 1 David Walser 2014-12-07 16:43:12 CET 
Why isn't it using the system libytnef?
Comment 2 Jani Välimaa 2014-12-07 17:31:00 CET 
Most probably because of latest libytnef release is from 2004. Claws-mail devs have also made some changes to the code.
Comment 3 David Walser 2014-12-07 18:08:51 CET 
So libytnef is only used by evolution.  You'd think developers of two GNOME mail programs could get together to co-maintain it.  Anyway, I wonder if claws-mail's changes could just be integrated into the system one then.
Comment 4 Lewis Smith 2014-12-08 21:53:23 CET 
To help picking the long list of pkgs, here they are from Description sorted:

claws-mail-3.11.1-1.1.mga4
claws-mail-acpi-plugin-3.11.1-1.1.mga4
claws-mail-address_keeper-plugin-3.11.1-1.1.mga4
claws-mail-archive-plugin-3.11.1-1.1.mga4
claws-mail-att_remover-plugin-3.11.1-1.1.mga4
claws-mail-attachwarner-plugin-3.11.1-1.1.mga4
claws-mail-bogofilter-plugin-3.11.1-1.1.mga4
claws-mail-bsfilter-plugin-3.11.1-1.1.mga4
claws-mail-clamd-plugin-3.11.1-1.1.mga4
claws-mail-devel-3.11.1-1.1.mga4
claws-mail-fancy-plugin-3.11.1-1.1.mga4
claws-mail-fetchinfo-plugin-3.11.1-1.1.mga4
claws-mail-gdata-plugin-3.11.1-1.1.mga4
claws-mail-libravatar-plugin-3.11.1-1.1.mga4
claws-mail-mailmbox-plugin-3.11.1-1.1.mga4
claws-mail-newmail-plugin-3.11.1-1.1.mga4
claws-mail-notification-plugin-3.11.1-1.1.mga4
claws-mail-pdf_viewer-plugin-3.11.1-1.1.mga4
claws-mail-perl-plugin-3.11.1-1.1.mga4
claws-mail-pgpcore-plugin-3.11.1-1.1.mga4
claws-mail-pgpinline-plugin-3.11.1-1.1.mga4
claws-mail-pgpmime-plugin-3.11.1-1.1.mga4
claws-mail-plugins-3.11.1-1.1.mga4
claws-mail-python-plugin-3.11.1-1.1.mga4
claws-mail-rssyl-plugin-3.11.1-1.1.mga4
claws-mail-smime-plugin-3.11.1-1.1.mga4
claws-mail-spam_report-plugin-3.11.1-1.1.mga4
claws-mail-spamassassin-plugin-3.11.1-1.1.mga4
claws-mail-tnef_parse-plugin-3.11.1-1.1.mga4
claws-mail-tools-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-3.11.1-1.1.mga4
claws-mail-vcalendar-plugin-devel-3.11.1-1.1.mga4

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2014-12-09 18:58:54 CET 
Testing MGA4 x64 real hardware.

Installed from normal repos all the Claws modules cited (which pulled in many other things, worst ClamAV and its huge database).
Configured it to an e-mail account, and sent a coupe of messages to myself. All OK.

Updated from Updates Testing all the pkgs to 3.11.1-1.1.mga4.
Continued use of the program, plus a few extras like queueing outgoing msgs before sending them, creating sub-folders, moving msgs into them, emptying Deleted. All OK. OKing this update.

Whiteboard: (none) => MGA4-64-OK

Comment 6 olivier charles 2014-12-14 17:26:02 CET 
Testing on Mageia4x32, real hardware

From claws-mail-3.11.1-1.mga4
-----------------------------
plus all 31 packages listed in Comment 4

Configured a google mail existing IMAP account, retrieved and sent messages. 

To claws-mail-3.11.1-1.1.mga4
-----------------------------

Found my gmail account, sent messages, some with attachments, charged some modules (spamassassin, vcalendar, new mail...), deleted, moved messages, created sub-folder.

Looks good.

CC: (none) => olchal
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 7 Rémi Verschelde 2014-12-16 20:50:23 CET 
@Jani, David: Can we have an advisory for this one?

CC: (none) => remi

Comment 8 David Walser 2014-12-16 20:58:40 CET 
How's this?

Advisory:
========================

Updated claws-mail package fixes security vulnerability:

Off-by-one error in the DecompressRTF function in ytnef.c in Yerase's TNEF
Stream Reader allows remote attackers to cause a denial of service (crash)
via a crafted TNEF file, which triggers a buffer overflow (CVE-2010-5109).

The claws-mail package contains an embedded copf of libytnef, which has been
patched to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5109
http://sourceforge.net/tracker/?func=detail&aid=2949686&group_id=70352&atid=527487
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083853.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771360
Comment 9 Rémi Verschelde 2014-12-16 21:24:52 CET 
Perfect, advisory uploaded :-)
Validating.

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK adviory
CC: (none) => sysadmin-bugs

David Walser 2014-12-16 22:21:30 CET

Whiteboard: MGA4-64-OK MGA4-32-OK adviory => MGA4-64-OK MGA4-32-OK advisory

Comment 10 Mageia Robot 2014-12-19 16:07:14 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0531.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 11 David Walser 2014-12-22 20:30:00 CET 
LWN made a page for this CVE:
http://lwn.net/Vulnerabilities/627327/

as their previous page for libytnef didn't have a CVE listed.  I've let them know that they're the same:
http://lwn.net/Vulnerabilities/506955/